"PAW/SAW device filter" refers to using the "filter for devices" condition in Microsoft Entra ID (formerly Azure AD) Conditional Access to restrict privileged sign-ins to a known set of tagged workstations. Administrators use the condition to include or exclude devices by attribute, most often to enforce that administrative access originates only from hardened admin workstations.
Key Concepts
- PAW → Privileged Access Workstation: A hardened, locked-down device (physical or virtual) that privileged users such as admins must use for sensitive tasks, for example the Microsoft 365 admin centers, Azure resources, or privileged PowerShell. A PAW reduces attack surface by keeping admin sessions off the everyday workstation where email, browsing, and productivity apps expose the user to phishing and malware.
- SAW → Secure Access Workstation (or, in some guidance, Secure Admin Workstation): A similar but lower-assurance tier than a PAW, used for elevated but not fully privileged access. Some organizations and Microsoft guidance use PAW and SAW interchangeably; others treat them as a hierarchy (PAW for the highest-privilege roles, SAW for mid-tier roles).
How the "Device Filter" Works in Conditional Access
Microsoft Entra Conditional Access includes a "Filter for devices" condition (in preview since 2021 and now generally available). It lets a policy include or exclude devices whose properties match a rule written in the filter's own syntax, for example device.extensionAttribute1 -eq "PAW" (operators include -eq, -ne, -startsWith, -contains, and -in). Supported properties include:
- device.extensionAttribute1 through device.extensionAttribute15 (extensionAttribute1 is the one most commonly used for tagging)
- device.trustType (AzureAD, ServerAD, or Workplace, i.e. Entra joined, hybrid joined, or registered)
- device.isCompliant (True or False, from Intune or a partner MDM)
- device.displayName
- device.deviceId, device.operatingSystem, device.manufacturer, device.model, etc.
A frequent pattern for PAW/SAW enforcement:
- Tag each approved PAW/SAW in Entra ID by setting one of the device object's extension attributes (e.g., extensionAttribute1 = "PAW" or "SAW"). Device extension attributes are written through Microsoft Graph; they are not exposed in the portal device blade.
- Create a Conditional Access policy targeting the privileged users or directory roles:
- Target the sensitive cloud apps (e.g., Windows Azure Service Management API for the Azure portal and ARM, Microsoft Admin Portals) and set the grant control to Block access.
- Under Conditions → Filter for devices → Configure: Yes → "Exclude filtered devices from policy", with the rule device.extensionAttribute1 -eq "PAW" (or "SAW"). The value is compared exactly, so the tag you write must match the rule.
- Result: for those apps, the targeted admins can sign in only from tagged PAW/SAW devices. Every other device is blocked, including devices that are not registered in Entra ID at all: such devices carry no attributes, so they never match the filter, and the exclude mode therefore fails closed. (The opposite construction, include mode plus a grant requirement, would let unregistered devices fall outside the policy.)
This forces privileged actions from secure workstations only, aligning with Zero Trust and Microsoft's privileged access strategy. Two caveats a practitioner should keep in mind: the control is only as strong as the write path to the tag, so any identity or application that can update device objects in the directory can mark an arbitrary device as a PAW and should be treated and audited as privileged; and the policy should exclude a break-glass account and be rolled out in report-only mode first, since a mistake here locks the admins out of the admin portals.
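The procedure above, carried out end to end with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original post or from Microsoft; the device name PAW-ADM-01, the break-glass account, the policy name, and the choice of Global Administrator as the targeted role are assumptions for illustration. The role template ID and the Windows Azure Service Management API application ID are the well-known built-in values.

```powershell
# Added example (not from the original post): tag an approved workstation,
# audit which devices carry the tag, then create the block-unless-PAW policy.
# Assumes the Microsoft.Graph PowerShell SDK and a signed-in admin with rights
# to update devices and write Conditional Access policies.
Connect-MgGraph -Scopes "Device.ReadWrite.All","Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Directory.Read.All"

# 1. Tag the approved workstation. The value must match the filter rule below
#    exactly; device extension attributes are written via the device object.
$paw = Get-MgDevice -Filter "displayName eq 'PAW-ADM-01'"   # placeholder device name
Update-MgDevice -DeviceId $paw.Id -BodyParameter @{
    extensionAttributes = @{ extensionAttribute1 = "PAW" }
}

# 2. Audit the tag. Every device listed here is one the block policy lets
#    through, so the list should be short and fully accounted for. Filtering
#    on extensionAttributes is an advanced query: it needs ConsistencyLevel
#    eventual together with $count.
Get-MgDevice -Filter "extensionAttributes/extensionAttribute1 eq 'PAW'" `
    -ConsistencyLevel eventual -CountVariable tagged -All |
    Select-Object DisplayName, Id, TrustType, IsCompliant
"Devices tagged PAW: $tagged"

# 3. Build the policy. Exclude mode applies the block to every device that
#    does NOT match the rule, including unregistered devices with no
#    attributes at all, so the control fails closed.
$globalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator role template
$breakGlass = (Get-MgUser -UserId "breakglass@contoso.com").Id      # placeholder; keep an emergency account excluded

$policy = @{
    displayName = "Block admin portals unless from tagged PAW"
    state       = "enabledForReportingButNotEnabled"   # report-only first; switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminTemplateId)
            excludeUsers = @($breakGlass)
        }
        applications = @{
            includeApplications = @(
                "797f4846-ba00-4fd7-ba43-dac1f8f63013",  # Windows Azure Service Management API (Azure portal / ARM)
                "MicrosoftAdminPortals"                  # first-party admin portals group
            )
        }
        clientAppTypes = @("all")
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Leave the policy in report-only mode until the sign-in logs show that only the expected admin sign-ins from untagged devices would have been blocked, then set state to enabled. For a SAW tier, repeat step 1 with the value "SAW", and create a second policy scoped to the mid-tier roles with the rule device.extensionAttribute1 -eq "SAW".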
Why "PAW/SAW" Together?
Documentation and community guidance often mention both:
- PAW for the most sensitive roles (e.g., Global Administrators).
- SAW as a stepped-down tier for less-critical elevated access.
- The same device-filter technique applies to both, using a different tag value (and typically a separate policy) for each tier.